https://therecord.media/federal-money-states-cybersecurity-funding
Federal money is helping states overhaul cybersecurity. What happens if it dries up?
As hackers pummel state and local governments with cyberattacks that exploit their untrained employees and aging infrastructure, a crucial source of support from the federal government is in danger of disappearing.
In 2021, Congress created a four-year, $1 billion cybersecurity grant program for state and local governments, hoping to equip governors, mayors, and county executives with new resources to protect public services and citizens’ data.
Since then, every state but one has taken advantage of the program to fund initiatives like securing government websites, deploying intrusion-monitoring software, and teaching employees to spot phishing emails. But now the program is in danger of lapsing.
It expires next September, putting its fate in the hands of a GOP-led Congress and President-elect Donald Trump’s team, which will likely include the one governor who rejected federal funding.
If the money dries up, state and local leaders will face difficult choices about whether and how to continue funding vital cybersecurity projects themselves.
“People are chomping at the bit to get this funding,” said William Turner, director of emergency management at Connecticut’s homeland security agency, “and I would really hate to see it go away as we're just getting it off the ground.”
A ‘game-changer’
State and local governments are a top target for cyberattacks, especially ransomware attacks, because of their limited resources and limited tolerance for downtime in essential services, which make them among the most vulnerable organizations in the U.S. In 2021, Congress offered a lifeline by tucking a long-discussed cyber grant program into that year’s massive infrastructure bill.
The Federal Emergency Management Agency released $185 million of the funding in 2022, followed by $375 million in 2023 and $280 million this year. As part of the process of receiving funds, committees in each participating state have drafted cyber improvement plans laying out their spending goals.
Already, the first-of-its-kind program has made a major difference in state and local cyber readiness.
“This money is really being put to good use,” said Alex Whitaker, director of government affairs for the National Association of State Chief Information Officers. “States are really encouraged that there is some attention being paid to their needs.”
The funds have “enabled so many local governments to improve their cyber defenses,” said Rita Reynolds, CIO for the National Association of Counties.
Whitaker said the impact has been particularly dramatic in small, cash-strapped communities — places where “their IT guy is also probably mowing the lawn at City Hall and is a city councilor.”
Turner said the program “has been a game-changer” in many towns, bringing not only heightened awareness of their vulnerabilities but also “a dedicated funding source” to begin fixing them.
“It basically gave us a lifeline that is allowing us to bridge or close a gap for a lot of these towns that, without this grant, probably wouldn't be able to do these cyber protections in their communities,” he said.
There have been some challenges. Meeting the initial requirements wasn’t easy for every state, and as Whitaker put it, “it is a lot of work for a relatively small amount of money.”
In Montana, where projects only began operating in November, Burke Honzel, chief of the emergency services agency’s preparedness bureau, said “it's taken us a while to get this started” because of the compliance requirements.
Also daunting is the requirement for grant recipients to match a portion of the funding, with the amount increasing in every year of the program.
In addition, state and local leaders don’t always see eye-to-eye on spending priorities. By law, 80% of the funding must go directly to local governments, which struggle even more with cybersecurity than state governments do. States can meet that requirement by providing services of their choosing to local governments, but that strategy has been controversial.
Whitaker said it’s a better way to achieve a “whole-of-state” approach, but according to Honzel, incorporating localities’ needs into statewide programs “can be hard.” Letting counties run their own programs, Reynolds believes, “has made a bigger difference.”
Still, Whitaker said the program has actually increased trust between state and local governments, because localities have to provide input on the state plans submitted to the feds.
“It is really creating better relationships between the state and local governments,” Whitaker said, “which is something in cybersecurity that's really been lacking for a long time.”
Already, experts and officials are calling for more money, with several states seeing far more demand than they can accommodate. More than 100 communities across Connecticut requested a combined $12 million in 2022, far outstripping the state’s $2.7 million allotment. “We got well over what we anticipated,” said Turner.
“The demand is always going to exceed what's available,” Reynolds said, “and so priorities become important.”
Software, certifications, and ‘neat ideas’
The grant program has funded a wide range of projects, but most of them fall into one of three categories: training, deploying endpoint detection software, or conducting risk assessments.
Montana is helping local governments conduct regular training sessions for employees, focused on things like not clicking suspicious links or opening unknown attachments.
“A lot of them do a one-and-done thing,” Honzel, of Montana's emergency services preparedness bureau, said. “We're looking at … projects that might have quarterly or [more frequent] campaigns.”
Across the country, Reynolds said, “educational opportunities on cyber awareness have improved” because of the grants.
Montana is also expanding an existing contract with the cybersecurity firm SentinelOne to provide endpoint detection software to local governments. Deploying the software, which identifies potentially dangerous activity based on analyzing user behavior, is “one of the biggest projects we have,” said Honzel, who expects it to generate “a pretty big increase in our cybersecurity posture” statewide.
Honzel’s team is using one-fifth of its state-level funding for an outreach campaign to educate local governments about the grant and understand their security needs. Montana is also using grant funds to help local government IT workers get cybersecurity certifications, as many of them don’t have security backgrounds, and the certificate programs can be prohibitively expensive.
Other states are creating programs to help local governments switch their websites to .gov domains, which are more secure and trustworthy than the commercial alternatives still widely in use at the local level. Whitaker highlighted New Hampshire’s “really innovative” “Dot-gov in a Box” program, which makes it easy for localities to migrate their domains.
“New Hampshire has done a great job of taking that money and running with it,” Whitaker said.
Local governments across the country are using their money to deploy multifactor authentication, one of the most vital cyber tools available. MFA “definitely has improved because of the local funding,” Reynolds said. “Many more counties have been able to implement that.”
In Connecticut, some local leaders are discussing jointly funding a shared network operations center that watches for threats.
“We see some neat ideas,” Turner said, where localities are saying, “Rather than everybody trying to do their own thing, let's think about how maybe we could all go in together and get more bang for our buck.”
Stability, reprieve, or ‘bad shape’
While the grant program is already proving effective at shoring up cybersecurity across the country, that efficacy is limited by its hazy future. Congressional authority for the fund will expire on Sept. 30, 2025, unless lawmakers renew it before then.
Across the country, local leaders are pushing for a reauthorization of what many see as a vital program.
“There's just a big hope that it's going to be continued,” said Whitaker. “To let the program expire would send a pretty troubling message to state and local governments.”
The fund’s temporary nature is discouraging some states from using it, said Whitaker.
“They don't want to be putting all this time into standing up these programs that are just going to go away in four years,” he said. “They really want to know what's happening long-term.”
Honzel said he sees this hesitation in Montana. “In order for us to really be able to make a difference,” he said, “we need to see a stable funding mechanism for this going forward.”
If the funding dries up, states would have to end contracts for attack-monitoring software and security assessments, stop upgrading new equipment, and turn away counties seeking .gov migration help.
“We would see some of our smaller school districts, towns, and cities potentially revert back to where we're at now,” Honzel said.
Counties that signed multi-year contracts would be on the hook for whatever costs remained, potentially crippling their budgets.
“We're going to be in a bad shape if they pull the funding,” Turner said.
The political environment is not favorable to renewal. Trump and congressional Republicans are looking for ways to cut the federal budget, and a $1 billion cyber fund will be an easy target. South Dakota Gov. Kristi Noem, Trump’s pick to lead the Department of Homeland Security, which oversees the fund, is an avowed critic of the program — she made her state the only one to reject funding in 2023.
Facing these headwinds, advocates for the program are gearing up to promote its value. DHS officials have asked state CIOs to meet with them to discuss the fund, according to Connecticut’s Turner, who said “we're going to take advantage of that,” as well as meeting with lawmakers.
“Whether it’s through our associations or our delegation on the congressional side,” he said, “we're going to continue to reinforce the importance of this grant program.”
Rep. Bennie Thompson (D-Miss.), the top Democrat on the House Homeland Security Committee and a key advocate for the program, said “every stakeholder I’ve spoken to” has urged Congress to reauthorize the fund, which he plans to push for next year. He and his fellow committee Democrats have received suggestions from state IT leaders and federal officials about ways to improve the program.
“Better security means government services are more resilient and more available,” Thompson said, “and that our over-extended cyber workforce can focus on more novel threats.”
State leaders hope the rest of Congress feels that same urgency.
“If the federal government continues to emphasize the importance of cyber as a national priority under homeland security,” said Turner, “we need to make sure that we have the funding that goes along with it.”
Correction: A previous version of this story described several Montana initiatives as ones undertaken by Minnesota.